shekyan / slowhttptest Goto Github PK

Application Layer DoS attack simulator

License: Apache License 2.0

Shell 25.60% C++ 45.29% Makefile 21.70% M4 7.27% Dockerfile 0.14%

security-scanner slowhttptest performance-metrics

slowhttptest's Introduction

Disclaimer

Any actions and or activities related to the code provided is solely your responsibility.The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this tool to break the law.

SlowHTTPTest

SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks by prolonging HTTP connections in different ways.

Use it to test your web server for DoS vulnerabilites, or just to figure out how many concurrent connections it can handle. SlowHTTPTest works on majority of Linux platforms, OS X and Cygwin - a Unix-like environment and command-line interface for Microsoft Windows, and comes with a Dockerfile to make things even easier.

Check out Wiki for installation and usage details.

Latest official image is available at Docker Hub: docker pull shekyan/slowhttptest:latest

slowhttptest's People

Stargazers

Watchers

Forkers

dmeulen ghubgenius no-problemo zhuomingliang peval hzwjava michalkoczwara drat voroojax msbrogli key20 paulcalabro stupidboy2015 blabla1337 privi samueltt orhiee bajief geektcp alexeydeyneko jingjuan joeyac axelbehrens neutronth bossjones andy737 nithyarajk janepeak520 bahaahassanieh huydx pawmsf johnjohnsp1 hinotori25 rasismeiro dfilyushin phill84 cake654326 id10tttt msisac zerocool443 forbidden-ali rungix solertis canerhuang jijicanyu qingluan lastsky wigrus pal301x shengulong cihadsevim ianmadlenya zhenmingda shalombublil pranavgupta1234 salewski qualys az0ne goghcrow versus realmadaha hxalid zengfan biggerwing hax0rg1rl hkylin rainser dnkls ianatkaplan jas502n killthatbird fatelulu magictoy bollwarm ladysecure raavivijay spartantri saga1015 whydoidoit oscargibson jerrywang1974 yingweizhao sireof rev-lulz heribertosgp laurentperche udeth myweaven ro9ueadmin zoerab butlerwang yingshang blueworld86 arovietnam pedroduartecosta echozaurora sword1987 l0stfake7 chosen1 coldsmoke627

slowhttptest's Issues

why we get the soft version v1.8.1 after compile the v1.8.2 source ?

why we get the soft version v1.8.1 after compile the v1.8.2 source .

Quite / Silent Mode

Hey there. I'm curious if there any silent mode during the process, while still getting the output generated in csv and html. I want to integrate it with bash script to tests multiple urls in the background. Maybe i should redirect the stdout to a temp file insted ?

Thanks in advance ! really cool stuff

Redirect from Google Code URL

Please add a redirect from the old Google Code project to this GitHub repo.

http://code.google.com/p/slowhttptest/

How to use for Window 8?

I download the releases file(slowhttptest-1.7.zip) in my disk,but i don't know how to use?(my system is window 8)

OpenSSL problem during configure - BT5 RC1

Tool will not compile. States "OpenSSL missing". Output below:

root@bt:/pentest/web/slowhttptest-1.2# ./configure 
-prefix=/pentest/web/slowhttptest-1.2
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... gcc3
checking for SSL_library_init in -lssl... no
configure: error: OpenSSL is missing

root@bt:/pentest/web/slowhttptest-1.2# openssl
OpenSSL>

Original issue reported on code.google.com by [email protected] on 18 Oct 2011 at 8:26

Support custom header

We have services that does routing/auth via headers, if those are missing it'll simply refuse the request. I find the -f and -m options quite restrictive, why not support a global option à la curl -H that supports any header?

The ideal usage would look like this:

slowhttptest -H'My-Custom-Header: 28' ...

I need help to start slowhttptest (for newbie)

I'm trying to test Slow HTTP POST vulnerability by using this tool and I'm newbie in this area. So, I've 2 questions as below.

Does anyone can suggest or guide me how to read the report and what is the meaning of the result as below?

intializing
pending
conected
error
closed
service available

How to decide that the host has the risk of slow HTTP POST vulnerability and what's the option parameter supposed to be?
My current option parameter is -t POST -c 20000 -r 2000 -u <host>

OpenSSL-devel missing.

I am using Kali-rolling.
Even though I've installed libssl-dev, I'm unable to compile it.
Please help out.

Thank you.

How to configure slowhttptest to replay this slow read attack

Hi,

I am running a website on an apache webserver which sits behind a nginx proxy.

Scince a couple of days I am faced with attacks like this:

Looks to me like a slow read attack.

In order to mitigate this attack I am trying to reproduce it in a test environment.

But I can´t figure out which parameters to use to get exactly the same kind of attack where the column "SS (Seconds since beginning of most recent request)" in Apaches Server Status is adding up.

Can you give me a hint how can I achieve this?

greetings
Andre

Unable to compile -- missing include files

What steps will reproduce the problem?
1. make

What is the expected output? What do you see instead?
./configure runs successfully, however, multiple compile errors after running 
make.  Missing include files.

What version of the product are you using? On what operating system?
Using slowhttptest version 1.4 on Arch Linux using gcc 4.7.

Please provide any additional information below.

After running make:

make  all-recursive
make[1]: Entering directory `/home/phil/slowhttptest-1.4'
Making all in src
make[2]: Entering directory `/home/phil/slowhttptest-1.4/src'
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptestmain.o -MD -MP -MF 
.deps/slowhttptestmain.Tpo -c -o slowhttptestmain.o slowhttptestmain.cc
slowhttptestmain.cc: In function 'bool parse_int(int&, long int)':
slowhttptestmain.cc:114:21: error: 'optarg' was not declared in this scope
slowhttptestmain.cc:116:50: error: 'optopt' was not declared in this scope
slowhttptestmain.cc:120:57: error: 'optopt' was not declared in this scope
slowhttptestmain.cc: In function 'int main(int, char**)':
slowhttptestmain.cc:170:78: error: 'getopt' was not declared in this scope
slowhttptestmain.cc:224:23: error: 'optarg' was not declared in this scope
slowhttptestmain.cc:271:40: error: 'optopt' was not declared in this scope
make[2]: *** [slowhttptestmain.o] Error 1
make[2]: Leaving directory `/home/phil/slowhttptest-1.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/phil/slowhttptest-1.4'
make: *** [all] Error 2


After including "#include <getopt.h>" in slowhttptestmain.cc:

make  all-recursive
make[1]: Entering directory `/home/phil/slowhttptest-1.4'
Making all in src
make[2]: Entering directory `/home/phil/slowhttptest-1.4/src'
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptestmain.o -MD -MP -MF 
.deps/slowhttptestmain.Tpo -c -o slowhttptestmain.o slowhttptestmain.cc
mv -f .deps/slowhttptestmain.Tpo .deps/slowhttptestmain.Po
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptest.o -MD -MP -MF 
.deps/slowhttptest.Tpo -c -o slowhttptest.o slowhttptest.cc
slowhttptest.cc: In member function 'bool 
slowhttptest::SlowHTTPTest::run_test()':
slowhttptest.cc:873:30: error: 'usleep' was not declared in this scope
make[2]: *** [slowhttptest.o] Error 1
make[2]: Leaving directory `/home/phil/slowhttptest-1.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/phil/slowhttptest-1.4'
make: *** [all] Error 2

After including "#include <unistd.h>" in slowhttptestmain.cc:

make  all-recursive
make[1]: Entering directory `/home/phil/slowhttptest-1.4'
Making all in src
make[2]: Entering directory `/home/phil/slowhttptest-1.4/src'
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptest.o -MD -MP -MF 
.deps/slowhttptest.Tpo -c -o slowhttptest.o slowhttptest.cc
mv -f .deps/slowhttptest.Tpo .deps/slowhttptest.Po
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowsocket.o -MD -MP -MF 
.deps/slowsocket.Tpo -c -o slowsocket.o slowsocket.cc
slowsocket.cc: In member function 'void slowhttptest::SlowSocket::close()':
slowsocket.cc:268:3: error: '::close' has not been declared
make[2]: *** [slowsocket.o] Error 1
make[2]: Leaving directory `/home/phil/slowhttptest-1.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/phil/slowhttptest-1.4'
make: *** [all] Error 2

After including "#include <unistd.h>" in slowsocket.cc

make  all-recursive
make[1]: Entering directory `/home/phil/slowhttptest-1.4'
Making all in src
make[2]: Entering directory `/home/phil/slowhttptest-1.4/src'
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptest.o -MD -MP -MF 
.deps/slowhttptest.Tpo -c -o slowhttptest.o slowhttptest.cc
mv -f .deps/slowhttptest.Tpo .deps/slowhttptest.Po
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowsocket.o -MD -MP -MF 
.deps/slowsocket.Tpo -c -o slowsocket.o slowsocket.cc
mv -f .deps/slowsocket.Tpo .deps/slowsocket.Po
g++  -g -O2  -L/usr/local/lib -lssl -o slowhttptest slowhttptestmain.o 
slowhttptest.o slowsocket.o slowstats.o slowurl.o slowlog.o text-generator.o 
range-generator.o  -lssl 
make[2]: Leaving directory `/home/phil/slowhttptest-1.4/src'
Making all in man
make[2]: Entering directory `/home/phil/slowhttptest-1.4/man'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/phil/slowhttptest-1.4/man'
make[2]: Entering directory `/home/phil/slowhttptest-1.4'
make[2]: Leaving directory `/home/phil/slowhttptest-1.4'
make[1]: Leaving directory `/home/phil/slowhttptest-1.4'

Success!

Original issue reported on code.google.com by [email protected] on 7 Jun 2012 at 11:17

Add a probe socket to monitor the actual DoS on the server

Add a probe socket to monitor the actual DoS on the server, e.g. monitor if 
server is able to serve normal, not slow request.

Original issue reported on code.google.com by [email protected] on 1 Sep 2011 at 8:09

slowhttptest -c 1000 -u http://[2001:8db:aaaa:1::2] ipv6 server issue

What steps will reproduce the problem?
1. slowhttptest -c 1000 -u http://[2001:8db:aaaa:1::2]
2.
3.

What is the expected output? What do you see instead?
Error in getaddrinfo: Servname not supported for ai_socktype
Sun Mar 30 14:24:01 2014:main: error setting up slow HTTP test

What version of the product are you using? On what operating system?
1.6 on ubuntu

Please provide any additional information below.

the tool does not seem to support ipv6 servers :(, i have tried making an 
change to your code (modifying the ai_socktype and ai_family) and then 
recompilling the tool. i still received the same output

Original issue reported on code.google.com by [email protected] on 25 Mar 2014 at 7:43

I would like to ask for knowledge to use the script

Duplicate

I'm trying to test Slow HTTP POST vulnerability by using this tool and I'm newbie in this area. So, I've 2 questions as below.

Does anyone can suggest or guide me how to read the report and what is the meaning of the result as below?

intializing
pending
conected
error
closed
service available

How to decide that the host has the risk of slow HTTP POST vulnerability and what's the option parameter supposed to be?
My current option parameter is -t POST -c 20000 -r 2000 -u <host>

Unable to use it on ipv6

slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u https://[fe80::ed21:aac3:20fd:b57e%eth0]/ -x 24 -p 3 -l 200
is producing the following error:

Thu Mar 30 15:47:44 2017:Error in getaddrinfo: Name or service not known
Thu Mar 30 15:47:44 2017:main: error setting up slow HTTP test

I dont have any issue using curl to browse to the target at all . #20

Slow Body Problem

Hi,
When I tried to launch slow body attack and used wireshark to capture data package, I just found protocol in HTTP request is GET, not POST, is there any problem??

Offer HTTP/2

Some attack targets are starting to only support HTTP/2. This tool should offer a way to use either HTTP/1.1 or HTTP/2 for attacks.

build fail 16.04

Making uninstall in src
make[1]: Entering directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src'
( cd '/usr/local/bin' && rm -f slowhttptest )
make[1]: Leaving directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src'
Making uninstall in man
make[1]: Entering directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/man'
( cd '/usr/local/share/man/man1' && rm -f slowhttptest.1 )
make[1]: Leaving directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/man'
make[1]: Entering directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest'
make[1]: Nothing to be done for 'uninstall-am'.
make[1]: Leaving directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest'
Already up-to-date.
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking whether g++ supports C++11 features by default... no
checking whether g++ supports C++11 features with -std=c++11... no
checking whether g++ supports C++11 features with -std=c++0x... no
checking whether g++ supports C++11 features with +std=c++11... no
checking whether g++ supports C++11 features with -h std=c++11... no
configure: No compiler with C++11 support was found
checking for SSL_library_init in -lssl... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set ,struct timeval *
checking for vprintf... yes
checking for _doprnt... no
checking for atexit... yes
checking for gettimeofday... yes
checking for poll... yes
checking for select... yes
checking for socket... yes
checking for strerror... yes
checking for strstr... yes
checking for strtol... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating man/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
make all-recursive
make[1]: Entering directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest'
Making all in src
make[2]: Entering directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src'
g++ -g -O2 -L/usr/local/opt/openssl/lib -L/usr/local/lib -lssl -o slowhttptest slowhttptestmain.o slowhttptest.o slowsocket.o slowstats.o slowurl.o slowlog.o text-generator.o range-generator.o -lssl
slowhttptest.o: In function slowhttptest::SlowHTTPTest::init(char const*, char const*, char const*, char const*, char const*, char const*)': /opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:441: undefined reference to slowhttptest::HTMLDumper::HTMLDumper(std::string const&, std::string const&, std::string const&)'
/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:443: undefined reference to slowhttptest::CSVDumper::CSVDumper(std::string const&, std::string const&)' /opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:354: undefined reference to slowhttptest::GenerateRangeHeader(int, int, int, std::string)'
slowhttptest.o: In function slowhttptest::SlowHTTPTest::get_random_extra()': /opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:205: undefined reference to slowhttptest::RandomTextGenerator::get_text(unsigned long)'
/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:207: undefined reference to slowhttptest::RandomTextGenerator::get_text(unsigned long)' collect2: error: ld returned 1 exit status Makefile:351: recipe for target 'slowhttptest' failed make[2]: *** [slowhttptest] Error 1 make[2]: Leaving directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src' Makefile:359: recipe for target 'all-recursive' failed make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest' Makefile:300: recipe for target 'all' failed make: *** [all] Error 2 Making install in src make[1]: Entering directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src' g++ -g -O2 -L/usr/local/opt/openssl/lib -L/usr/local/lib -lssl -o slowhttptest slowhttptestmain.o slowhttptest.o slowsocket.o slowstats.o slowurl.o slowlog.o text-generator.o range-generator.o -lssl slowhttptest.o: In function slowhttptest::SlowHTTPTest::init(char const*, char const*, char const*, char const*, char const*, char const*)':
/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:441: undefined reference to slowhttptest::HTMLDumper::HTMLDumper(std::string const&, std::string const&, std::string const&)' /opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:443: undefined reference to slowhttptest::CSVDumper::CSVDumper(std::string const&, std::string const&)'
/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:354: undefined reference to slowhttptest::GenerateRangeHeader(int, int, int, std::string*)' slowhttptest.o: In function slowhttptest::SlowHTTPTest::get_random_extra()':
/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:205: undefined reference to slowhttptest::RandomTextGenerator::get_text(unsigned long)' /opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src/slowhttptest.cc:207: undefined reference to slowhttptest::RandomTextGenerator::get_text(unsigned long)'
collect2: error: ld returned 1 exit status
Makefile:351: recipe for target 'slowhttptest' failed
make[1]: *** [slowhttptest] Error 1
make[1]: Leaving directory '/opt/ITSEC/10.Stresstest/slowhttptest/shekyan/slowhttptest/src'
Makefile:359: recipe for target 'install-recursive' failed
make: *** [install-recursive] Error 1
✔ /opt/ITSEC-Install-Scripts [dev|✚ 1]
15:11 $

Doesn't work

apt-get install slowhttptest -y

While trying the copy pasted examples from the readme:
Option - requires an argument.
Try 'slowhttptest -h' for more information

It never works. It doesn't care that everything is in accordance with the manual.

custom http headers - user-agent

Is it possible to customise the user-agent or any other http header (cookie, referer)?
Thank you.

./configure

centos7 安装不了

99% CPU usage

- What steps will reproduce the problem?

running a test like 
slowhttptest -c 2000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 8 -u http://testurl 
-p 10 -l 350 

Then monitoring sowhttptest CPU usage with top shows that usage start around 
30% during the connections ramping up phase but when reaching the DDOs state 
then i see a 99% CPU use and my laptop runs hot.

If i use a tool like cpulimit to artificially limit the CPU use of slowhttptest 
to something like 20% it results in a same level of efficiency aka my test url 
is still DOSed, indicating that slowhttptest may not really need to use all 
this power.




- What version of the product are you using? On what operating system?

tested with last release and last trunk on fedora 16 64bit. My laptop is quite 
powerful, it's a core i7 sandybrige. When runnin slowhttptest the CPU 
overclocks itself to 3.4Ghz in order to accomodate the 99% usage. If limited to 
20% my CPU is able to stay cool and limits its clock to a more usual clock 
speed.

Original issue reported on code.google.com by [email protected] on 10 Apr 2012 at 1:40

Can't Link with libssl.so not in default directory or /usr/local/lib

It is not possible to build slowhttptest if libssl.so is not in the default 
library search path or /usr/local/bin. ./configure works as intended when 
started with CPPFLAGS and LDFLAGS, e.g. 

LDFLAGS=-Wl,-rpath,/home/foo/buildlib\ -L/home/foo/build//lib 
CPPFLAGS=-I/home/foo/build/include ./configure --prefix=/home/foo/slowhttptest/

and the build proceeds until linking finally fails. It turns out that 
src/Makefile.am explicitly removes CFLAGS and LDFLAGS. Instead of

CFLAGS=-Wall -I/usr/local/include
LDFLAGS=-L/usr/local/lib -lssl


it should probably set

CFLAGS=@CFLAGS@
CFLAGS+=-Wall -I/usr/local/include
LDFLAGS=@LDFLAGS@
LDFLAGS+=-L/usr/local/lib -lssl

or 

CFLAGS=@CFLAGS@ -Wall -I/usr/local/include
LDFLAGS=@LDFLAGS@ -L/usr/local/lib -lssl

Original issue reported on code.google.com by [email protected] on 26 Jul 2013 at 2:02

Wannna Static compilation

Hi，great job for this，just asking that how can i static compilate slowhttptest

New formal release

Are there any plans to prepare a new formal release, with all changes and openssl-1.1.1 support?
Also, there is a PR open which refers build scripts modernization.

help pls

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.


hello i have problem 
root@bt:~/slowhttptest-1.1# ./configure –prefix=PREFIX
configure: error: invalid variable name: `–prefix'
how to fix this

Original issue reported on code.google.com by [email protected] on 31 Aug 2011 at 11:30

Number of connections capped at 4090

Number of connections capped at 4090 no matter what server I test on. Why does 
it not go higher than 4090?

Original issue reported on code.google.com by [email protected] on 28 Sep 2014 at 12:54

support web proxy for probe connection

support web proxy for probe connection

Original issue reported on code.google.com by [email protected] on 5 Mar 2012 at 4:06

Fails SSL/TLS connection against load balancer requiring SNI

If the remote target is a load balancer that is requiring TLSv1.2 and SNI with hostname identification then slowhttptest fails to successfully connect. An option to set the SNI hostname would appears to be needed.

slowhttptest -H -u https://loadbal.sni.example.com

slow HTTP test status on 0th second:
initializing: 0
pending: 1
connected: 0
error: 0
closed: 0
service available: YES
Wed Dec 2 20:54:55 2020:
Test ended on 1th second
Exit status: Connection refused

Support reopening dropped connections

Currently, if a server drops a connection then slowhttptest makes no attempt to establish a replacement connection. This means that it's ineffective against servers that have a hard limit on connection duration. It would be cool if there was a command line argument to automatically replace dropped connections. What do you think?

How to access the reports

Hi,
I used the docker build to build the image and I was able to run it like this,

docker run slowhttptest:latest -c 100 -H -g -i 10 -r 20 -t GET -u https://localhost/api/resources/365037?api-key=1234 -p 10

It seemed to have ran fine and I got this output,

slow HTTP test status on 240th second:

initializing: 0
pending: 0
connected: 100
error: 0
closed: 0
service available: YES
Fri Nov 16 13:48:33 2018:
Test ended on 241th second
Exit status: Hit test time limit
CSV report saved to slow_2018-11-16_13-44-32.csv
HTML report saved to slow_2018-11-16_13-44-32.html

Now where are the csv and html files stored?

Thanks,
Arun

How to add cookie header in request

Hi Shekyan,

The slowhttptest tools is very helpful in testing DOS attacks on the server. I am trying to use this tool to test our application which requires authentication for successful access.

As a part of authentication we use SAML so the request gets redirected to SAML server if it does not find authentication cookies in it.

So to test using this tool I was thinking if I can add authentication cookies in request headers so the server will respond correctly.

Can't be build under cygwin, because it does not have execinfo.h

Just a thought, why doy you need it?
I'd suggest an option to disable it with configure

Original issue reported on code.google.com by [email protected] on 13 Jan 2012 at 6:31

Fix manpage warning

I have prepared the slowhttptest Debian package. I'm just Debian Maintainer has 
no rights to upload new package to Debian but the package could be uploaded to 
Debian via sponsoring method, Debian Developer should review it.

BTW, The lintian (Debian package checker) has warned me that there are a few 
warnings in the manpage file.

I have fixed it, patch is attached.

Please review

Original issue reported on code.google.com by [email protected] on 13 Dec 2013 at 5:16

Attachments:

fix-manpage-warning.patch

compilation fails since 1.5

Compilation fails since 1.5 and later revisions (281 at this time) :

Checked out revision 281.
[sheepdestroyer@sheepora ~]$ cd slowhttptest-read-only/
[sheepdestroyer@sheepora slowhttptest-read-only]$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... gcc3
checking for SSL_library_init in -lssl... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking for vprintf... yes
checking for _doprnt... no
checking for atexit... yes
checking for gettimeofday... yes
checking for poll... yes
checking for select... yes
checking for socket... yes
checking for strerror... yes
checking for strstr... yes
checking for strtol... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating man/Makefile
config.status: creating config.h
config.status: executing depfiles commands
[sheepdestroyer@sheepora slowhttptest-read-only]$ make
 cd . && /bin/sh /home/sheepdestroyer/slowhttptest-read-only/missing --run automake-1.11 --foreign
aclocal.m4:16: warning: this file was generated for autoconf 2.67.
You have another version of autoconf.  It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically `autoreconf'.
configure.ac:6: version mismatch.  This is Automake 1.11.3,
configure.ac:6: but the definition used by this AM_INIT_AUTOMAKE
configure.ac:6: comes from Automake 1.11.1.  You should recreate
configure.ac:6: aclocal.m4 with aclocal and run automake again.
WARNING: `automake-1.11' is probably too old.  You should only need it if
         you modified `Makefile.am', `acinclude.m4' or `configure.ac'.
         You might want to install the `Automake' and `Perl' packages.
         Grab them from any GNU archive site.
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh 
/home/sheepdestroyer/slowhttptest-read-only/missing --run autoconf
/bin/sh ./config.status --recheck
running CONFIG_SHELL=/bin/sh /bin/sh ./configure --no-create --no-recursion
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... gcc3
checking for SSL_library_init in -lssl... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking for vprintf... yes
checking for _doprnt... no
checking for atexit... yes
checking for gettimeofday... yes
checking for poll... yes
checking for select... yes
checking for socket... yes
checking for strerror... yes
checking for strstr... yes
checking for strtol... yes
configure: creating ./config.status
 /bin/sh ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating man/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
(CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh 
/home/sheepdestroyer/slowhttptest-read-only/missing --run autoheader)
rm -f stamp-h1
touch config.h.in
cd . && /bin/sh ./config.status config.h
config.status: creating config.h
config.status: config.h is unchanged
make  all-recursive
make[1]: Entering directory `/home/sheepdestroyer/slowhttptest-read-only'
Making all in src
make[2]: Entering directory `/home/sheepdestroyer/slowhttptest-read-only/src'
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptestmain.o -MD -MP -MF 
.deps/slowhttptestmain.Tpo -c -o slowhttptestmain.o slowhttptestmain.cc
mv -f .deps/slowhttptestmain.Tpo .deps/slowhttptestmain.Po
g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptest.o -MD -MP -MF 
.deps/slowhttptest.Tpo -c -o slowhttptest.o slowhttptest.cc
slowhttptest.cc: In member function ‘bool 
slowhttptest::SlowHTTPTest::run_test()’:
slowhttptest.cc:953:30: error: ‘usleep’ was not declared in this scope
make[2]: *** [slowhttptest.o] Error 1
make[2]: Leaving directory `/home/sheepdestroyer/slowhttptest-read-only/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/sheepdestroyer/slowhttptest-read-only'
make: *** [all] Error 2

Original issue reported on code.google.com by [email protected] on 8 Sep 2012 at 2:51

CPU usage still at 99% on last revision

Hi

tested today the last revision but it seems the problem is not solved :

#slowhttptest -c 6000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 8 -u 
http://testurl -p 10 -l 6000

- during initialization phase the cpu stays at around 35% and pending 
connections ramp up :

Fri Sep 21 13:26:37 2012:slow HTTP test status on 30th second:
initializing:        0
pending:             3527
connected:           28
error:               0
closed:              0
service available:   NO
Fri Sep 21 13:26:42 2012:slow HTTP test status on 35th second:
initializing:        0
pending:             4133
connected:           28
error:               0
closed:              0
service available:   NO
Fri Sep 21 13:26:47 2012:slow HTTP test status on 40th second:
initializing:        0
pending:             4781
connected:           28
error:               0
closed:              0
service available:   NO
Fri Sep 21 13:26:52 2012:slow HTTP test status on 45th second:
initializing:        0
pending:             5412
connected:           28
error:               0
closed:              0
service available:   NO
Fri Sep 21 13:26:57 2012:slow HTTP test status on 50th second:
initializing:        0
pending:             5972
connected:           28
error:               0
closed:              0
service available:   NO


- but after all 6000 connections are in pending mode, the cpu usage is now 99% 
and closed connections start increasing:

Fri Sep 21 13:27:12 2012:slow HTTP test status on 65th second:
initializing:        0
pending:             5924
connected:           28
error:               0
closed:              48
service available:   NO
Fri Sep 21 13:27:17 2012:slow HTTP test status on 70th second:
initializing:        0
pending:             5364
connected:           28
error:               0
closed:              608
service available:   NO
Fri Sep 21 13:27:22 2012:slow HTTP test status on 75th second:
initializing:        0
pending:             4769
connected:           28
error:               0
closed:              1203
service available:   NO
Fri Sep 21 13:27:27 2012:slow HTTP test status on 80th second:
initializing:        0
pending:             4193
connected:           28
error:               0
closed:              1779
service available:   NO
Fri Sep 21 13:27:32 2012:slow HTTP test status on 85th second:
initializing:        0
pending:             3606
connected:           28
error:               0
closed:              2366
service available:   NO
Fri Sep 21 13:27:37 2012:slow HTTP test status on 90th second:
initializing:        0
pending:             2997
connected:           28
error:               0
closed:              2975
service available:   NO



- finally i reach a state where almost all connections whent from pending to 
closed, just 129 left and it stays that way for a long time with cpu at 99% and 
target DoSed:

Fri Sep 21 13:33:17 2012:slow HTTP test status on 430th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:22 2012:slow HTTP test status on 435th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:27 2012:slow HTTP test status on 440th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:32 2012:slow HTTP test status on 445th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:37 2012:slow HTTP test status on 450th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:42 2012:slow HTTP test status on 455th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:47 2012:slow HTTP test status on 460th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:52 2012:slow HTTP test status on 465th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:33:57 2012:slow HTTP test status on 470th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:34:02 2012:slow HTTP test status on 475th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:34:07 2012:slow HTTP test status on 480th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:34:12 2012:slow HTTP test status on 485th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO
Fri Sep 21 13:34:17 2012:slow HTTP test status on 490th second:
initializing:        0
pending:             129
connected:           28
error:               0
closed:              5843
service available:   NO

Original issue reported on code.google.com by [email protected] on 21 Sep 2012 at 11:43

incorrect logging of SSL traffic

What steps will reproduce the problem?
1. Any https target

run_test:initial -1 of 180 bytes sent on slow post socket 4:

should be replaced by connection in progress in log file.

Original issue reported on code.google.com by [email protected] on 14 Jul 2011 at 5:37

direct mode -d'my custom embedded data'
file mode -d@path_where_my_data_is.json

Draft new release

The Wiki has a link to the google code repo, which is now shut down: http://code.google.com/p/slowhttptest/downloads/list

I am requesting a release be drafted and the link updated
https://github.com/shekyan/slowhttptest/releases

'openssl/ssl.h' file not found during make

I get the following error while executing make when installing slowhttptest:

g++ -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT slowhttptest.o -MD -MP -MF .deps/slowhttptest.Tpo -c -o slowhttptest.o slowhttptest.cc
In file included from slowhttptest.cc:48:
./slowsocket.h:36:10: fatal error: 'openssl/ssl.h' file not found
#include <openssl/ssl.h>

I have openssl installed on my mac

brew list | grep openssl
openssl
[email protected]

Anyone knows how to solve this issue?

License text

It would be nice if you add the original and complete license as text file 
(COPYING) to the source files. Thanks.

Original issue reported on code.google.com by [email protected] on 16 Nov 2012 at 2:22

Proxy list

can i use HTTP Proxy list instead just one Proxy ?

Add IP v6 support

Add IP v6 support

Original issue reported on code.google.com by [email protected] on 14 Jul 2011 at 9:07

limit of 1024 file descriptors to monitor

select() is limitied to 1024 file descriptors. 
Switch to poll().

Original issue reported on code.google.com by [email protected] on 14 Jul 2011 at 2:35

Slow HTTP and Slow Post not working as slowloris or rudy

Hi,

I am installed slowhttptest,

In link:
https://blog.qualys.com/securitylabs/2011/08/25/new-open-source-tool-for-slow-http-attack-vulnerabilities

says slowloris has lost of generated headers, each of headers has time delay before post.

I am watching your script via netcat server, your code only send standart headers not generated headers.

And also slowpost mode only send foo=bar not generated lots of post

Thanks

Build failure on FreeBSD

Build failure on FreeBSD

Original issue reported on code.google.com by [email protected] on 8 Jan 2012 at 5:12

Option - requires an argument.

What steps will reproduce the problem?
After installation just enter "slowhttptest -u https://www.google.at or 
anything of the Wiki tutorials. 

What is the expected output? What do you see instead?
root@xfs:~# slowhttptest -u https://www.google.at
Option - requires an argument.
Try 'slowhttptest -h' for more information


What version of the product are you using? On what operating system?
newest version. clean Xubuntu

Original issue reported on code.google.com by [email protected] on 26 Nov 2013 at 2:36

Add support vor other HTTP verbs

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 2 Aug 2011 at 4:46

I can't compile

I can't compile the program. Log in attach.

Original issue reported on code.google.com by [email protected] on 13 Jan 2012 at 12:15